{
 "cells": [
  {
   "attachments": {},
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Pulsedive Lookup with MSTICPy\n",
    "\n",
    "Author: Thomas Roccia | [@fr0gger_](https://twitter.com/fr0gger_)\n",
    "\n",
     "The Pulsedive Lookup module in MSTICPy gives you access to the Pulsedive threat intelligence platform from within your Python scripts. With this module you can search, scan, and enrich IPs, URLs, domains, and other Indicators of Compromise (IOCs) from Open Source Intelligence (OSINT) feeds, or even submit your own data.\n",
     "\n",
     "This notebook demonstrates how to use the Pulsedive module in MSTICPy for threat enrichment: retrieving information about known threats, scanning indicators for potential threats, and exploring the Pulsedive database using various search criteria.\n",
    "\n",
    "To learn more about the Pulsedive API and the various functions available through the module, please visit the official Pulsedive API documentation at https://pulsedive.com/api/. \n",
    "\n",
    "\n",
     "The Pulsedive support in MSTICPy has two components:\n",
     "- A regular TI Provider, invoked through `TILookup` or the Pivot functions\n",
     "- The `PDlookup` class, which exposes the other Pulsedive operations and lookup types\n",
     "  (threat lookup, Explore queries and scanning)."
   ]
  },
  {
   "attachments": {},
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Pulsedive configuration and API Key\n",
    "\n",
     "Before you can use the Pulsedive API you must create\n",
     "an account at the site and obtain an API key. You can\n",
     "supply the API key directly when you create a lookup object, or configure\n",
     "a `Pulsedive` entry in your `msticpyconfig.yaml`:\n",
    "\n",
    "```yaml\n",
    "TIProviders:\n",
    "  ...\n",
    "  Pulsedive:\n",
    "    Args:\n",
    "      AuthKey: your_pd_api_key\n",
    "    Primary: True\n",
    "    Provider: Pulsedive\n",
    "```"
   ]
  },
  {
   "attachments": {},
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## MSTICPy TILookup and Pulsedive\n",
    "\n",
    "\n",
    "Adding a configuration for Pulsedive to `msticpyconfig.yaml`\n",
    "also adds Pulsedive as a regular MSTICPy TI Provider that you\n",
    "can use as follows:\n",
    "\n",
     "```python\n",
     "from msticpy.context import TILookup\n",
     "\n",
     "ti_lookup = TILookup()\n",
     "single_result = ti_lookup.lookup_ioc(\"21.3.4.5\", providers=[\"Pulsedive\"])\n",
     "\n",
     "# multiple observables - you can include multiple observable types\n",
     "# in the same list\n",
     "ip_list = [\"21.3.4.5\", \"19.8.7.6\", \"201.45.178.2\", ...]\n",
     "ti_lookup.lookup_iocs(ip_list, providers=[\"Pulsedive\"])\n",
     "```\n",
    "\n",
    "If you supply no value for `providers`, all configured providers will\n",
    "be used.\n",
    "\n",
     "You can also use the MSTICPy pivot interface to look up\n",
     "specific observable types:\n",
    "\n",
    "```python\n",
    "IpAddress.ti.lookup_ip(ip_list)\n",
    "```"
   ]
  },
  {
   "attachments": {},
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Initializing the PDlookup class\n",
    "\n",
     "The `PDlookup` class lets you perform operations\n",
     "in Pulsedive beyond simple indicator lookup, such\n",
     "as threat lookup, domain and IP scanning, and the Pulsedive Explore query\n",
     "interface."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "metadata": {},
   "outputs": [],
   "source": [
    "# import the Pulsedive module\n",
    "from msticpy.context.tiproviders.pulsedive import PDlookup"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 2,
   "metadata": {},
   "outputs": [],
   "source": [
     "# Use the PDlookup class to get more details about an IOC. Supply your API key\n",
     "# here; don't leave a real key in a notebook you share or commit.\n",
     "pdlookup = PDlookup(pd_key='')"
   ]
  },
  {
   "attachments": {},
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Lookup IOC\n",
    "\n",
     "The `lookup_ioc` method requests data from the Pulsedive API given an observable and a Pulsedive type. The observable is the value being looked up, such as a domain name or IP address; the Pulsedive type (`pd_type`) selects which kind of request is made.\n",
     "\n",
     "You can use `lookup_ioc` to perform all types of lookup operations by supplying the\n",
     "appropriate value for `pd_type`. The default for `lookup_ioc` is \"indicator\".\n",
     "\n",
     "Alternatively you can use the direct methods:\n",
     "- `PDlookup.lookup_threat`\n",
     "- `PDlookup.explore`\n",
     "- `PDlookup.scan`\n",
     "\n",
     "The available Pulsedive types are:\n",
     "\n",
     "* 'indicator': Retrieves information about a specific Indicator of Compromise (IOC), such as a domain name or IP.\n",
     "* 'threat': Retrieves information about a specific threat, such as a threat actor name or malware family (e.g. ryuk, zeus).\n",
     "* 'explore': Queries the Pulsedive database using the Explore query language (e.g. \"ioc=pulsedive.com or threat=ryuk\").\n",
     "* 'scan': Submits a domain name or IP to Pulsedive for scanning. Unlike the other types, this sends your indicator to the service rather than only reading from it."
   ]
  },
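   {
    "attachments": {},
    "cell_type": "markdown",
    "metadata": {},
    "source": [
     "The block below is an added example and is not code from this notebook or from MSTICPy. It is a standard-library-only triage pass over records shaped like the `lookup_ioc` / `lookup_iocs` results shown further down in this notebook; the column names it reads (`indicator`, `type`, `risk`, `risk_recommended`, `retired`, `stamp_updated`) are taken from those outputs. The function names, the sample records, and the reading of a `risk_recommended` higher than `risk` as a manual override worth re-checking are my own assumptions. To run it on a real result, pass `df.to_dict('records')` from the returned DataFrame; missing cells arrive as NaN, which the code treats as absent.\n",
     "\n",
     "```python\n",
     "# Added example, not from this notebook or from MSTICPy: a stdlib-only triage\n",
     "# pass over records shaped like the lookup_ioc / lookup_iocs results shown in\n",
     "# this notebook (indicator, type, risk, risk_recommended, retired,\n",
     "# stamp_updated). Sample records below are constructed, not Pulsedive data.\n",
     "from datetime import datetime, timedelta, timezone\n",
     "from typing import Any, Dict, List, Optional\n",
     "\n",
     "# Pulsedive risk scale, lowest to highest; an unassessed ('unknown') or\n",
     "# missing risk is kept out of the ordering and ranks below everything.\n",
     "RISK_ORDER = ['none', 'low', 'medium', 'high', 'critical']\n",
     "STAMP_FMT = '%Y-%m-%d %H:%M:%S'  # format of the stamp_* columns in the output\n",
     "\n",
     "\n",
     "def present(value: Any) -> bool:\n",
     "    '''True unless the value is None or a pandas-style NaN (a float not equal to itself).'''\n",
     "    return value is not None and not (isinstance(value, float) and value != value)\n",
     "\n",
     "\n",
     "def risk_rank(level: Any) -> int:\n",
     "    '''Ordinal for a risk string; unknown, missing or non-string risk returns -1.'''\n",
     "    if not isinstance(level, str):\n",
     "        return -1\n",
     "    try:\n",
     "        return RISK_ORDER.index(level.lower())\n",
     "    except ValueError:\n",
     "        return -1\n",
     "\n",
     "\n",
     "def triage(records: List[Dict[str, Any]], min_risk: str = 'medium',\n",
     "           now: Optional[datetime] = None,\n",
     "           stale_after: timedelta = timedelta(days=180)) -> List[Dict[str, Any]]:\n",
     "    '''Return the records worth an analyst's time, each with its reasons.\n",
     "\n",
     "    A record is kept when its risk is at or above min_risk, or when the\n",
     "    recommended risk is higher than the assigned one (assumption: that gap\n",
     "    marks a manual override worth re-checking). Retired indicators are\n",
     "    dropped, and records not updated within stale_after get a stale reason\n",
     "    so the analyst knows the enrichment is old.\n",
     "    '''\n",
     "    now = now or datetime.now(timezone.utc).replace(tzinfo=None)\n",
     "    threshold = risk_rank(min_risk)\n",
     "    hits = []\n",
     "    for rec in records:\n",
     "        if present(rec.get('retired')):\n",
     "            continue\n",
     "        assigned = risk_rank(rec.get('risk'))\n",
     "        recommended = risk_rank(rec.get('risk_recommended'))\n",
     "        reasons = []\n",
     "        if assigned >= threshold:\n",
     "            reasons.append('risk=' + rec['risk'])\n",
     "        if recommended > assigned:\n",
     "            reasons.append('recommended risk ' + rec['risk_recommended']\n",
     "                           + ' exceeds assigned risk')\n",
     "        if not reasons:\n",
     "            continue\n",
     "        stamp = rec.get('stamp_updated')\n",
     "        if present(stamp):\n",
     "            updated = datetime.strptime(stamp, STAMP_FMT)\n",
     "            if now - updated > stale_after:\n",
     "                reasons.append('stale: last updated ' + str(updated.date()))\n",
     "        hits.append({'indicator': rec['indicator'], 'type': rec.get('type'),\n",
     "                     'reasons': reasons})\n",
     "    return hits\n",
     "\n",
     "\n",
     "# Constructed sample records in the shape of the DataFrame rows shown in this\n",
     "# notebook; the NaN cells mimic what pandas produces for missing values.\n",
     "SAMPLE = [\n",
     "    {'indicator': 'benign.example', 'type': 'domain', 'risk': 'none',\n",
     "     'risk_recommended': 'none', 'retired': None,\n",
     "     'stamp_updated': '2023-01-19 03:01:59'},\n",
     "    {'indicator': '192.0.2.10', 'type': 'ip', 'risk': 'high',\n",
     "     'risk_recommended': 'high', 'retired': None,\n",
     "     'stamp_updated': '2023-01-15 10:00:00'},\n",
     "    {'indicator': 'overridden.example', 'type': 'domain', 'risk': 'low',\n",
     "     'risk_recommended': 'critical', 'retired': None,\n",
     "     'stamp_updated': '2021-06-01 00:00:00'},\n",
     "    {'indicator': 'retired.example', 'type': 'domain', 'risk': 'critical',\n",
     "     'risk_recommended': 'critical', 'retired': '2022-09-03 02:44:42',\n",
     "     'stamp_updated': '2022-09-03 02:44:42'},\n",
     "    {'indicator': 'unassessed.example', 'type': 'domain', 'risk': 'unknown',\n",
     "     'risk_recommended': float('nan'), 'retired': float('nan'),\n",
     "     'stamp_updated': '2023-01-10 00:00:00'},\n",
     "]\n",
     "\n",
     "\n",
     "def demo(as_of: datetime = datetime(2023, 1, 20)) -> List[Dict[str, Any]]:\n",
     "    '''Run the triage over SAMPLE at a fixed date so the result is reproducible.'''\n",
     "    return triage(SAMPLE, now=as_of)\n",
     "\n",
     "\n",
     "if __name__ == '__main__':\n",
     "    for hit in demo():\n",
     "        print(hit['indicator'], hit['type'], '; '.join(hit['reasons']))\n",
     "```"
    ]
   },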
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Indicator"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 3,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>qid</th>\n",
       "      <th>iid</th>\n",
       "      <th>indicator</th>\n",
       "      <th>type</th>\n",
       "      <th>risk</th>\n",
       "      <th>risk_recommended</th>\n",
       "      <th>manualrisk</th>\n",
       "      <th>retired</th>\n",
       "      <th>stamp_added</th>\n",
       "      <th>stamp_updated</th>\n",
       "      <th>...</th>\n",
       "      <th>properties.banners.22</th>\n",
       "      <th>properties.banners.21</th>\n",
       "      <th>properties.dns.a</th>\n",
       "      <th>properties.dns.ns</th>\n",
       "      <th>properties.dns.rname</th>\n",
       "      <th>properties.dns.mname</th>\n",
       "      <th>properties.dns.mx</th>\n",
       "      <th>properties.dns.txt</th>\n",
       "      <th>properties.dns.soa</th>\n",
       "      <th>properties.dom.screenshot</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>None</td>\n",
       "      <td>2</td>\n",
       "      <td>alvoportas.com.br</td>\n",
       "      <td>domain</td>\n",
       "      <td>none</td>\n",
       "      <td>none</td>\n",
       "      <td>0</td>\n",
       "      <td>None</td>\n",
       "      <td>2017-09-27 18:11:38</td>\n",
       "      <td>2023-01-19 03:01:59</td>\n",
       "      <td>...</td>\n",
       "      <td>SSH-2.0-OpenSSH_7.4\\n</td>\n",
       "      <td>220---------- Welcome to Pure-FTPd [privsep] [...</td>\n",
       "      <td>162.241.60.111</td>\n",
       "      <td>[nspro15.hostgator.com.br, nspro14.hostgator.c...</td>\n",
       "      <td>root@sh-pro14.hostgator.com.br</td>\n",
       "      <td>nspro14.hostgator.com.br</td>\n",
       "      <td>mail.alvoportas.com.br</td>\n",
       "      <td>v=spf1 ip4:69.49.252.72 ip4:162.241.60.107 a m...</td>\n",
       "      <td>nspro14.hostgator.com.br. root.sh-pro14.hostga...</td>\n",
       "      <td>https://sandbox.pulsedive.com/screenshots/b590...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1 rows × 79 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "    qid  iid          indicator    type  risk risk_recommended  manualrisk  \\\n",
       "0  None    2  alvoportas.com.br  domain  none             none           0   \n",
       "\n",
       "  retired          stamp_added        stamp_updated  ...  \\\n",
       "0    None  2017-09-27 18:11:38  2023-01-19 03:01:59  ...   \n",
       "\n",
       "   properties.banners.22                              properties.banners.21  \\\n",
       "0  SSH-2.0-OpenSSH_7.4\\n  220---------- Welcome to Pure-FTPd [privsep] [...   \n",
       "\n",
       "  properties.dns.a                                  properties.dns.ns  \\\n",
       "0   162.241.60.111  [nspro15.hostgator.com.br, nspro14.hostgator.c...   \n",
       "\n",
       "             properties.dns.rname      properties.dns.mname  \\\n",
       "0  root@sh-pro14.hostgator.com.br  nspro14.hostgator.com.br   \n",
       "\n",
       "        properties.dns.mx                                 properties.dns.txt  \\\n",
       "0  mail.alvoportas.com.br  v=spf1 ip4:69.49.252.72 ip4:162.241.60.107 a m...   \n",
       "\n",
       "                                  properties.dns.soa  \\\n",
       "0  nspro14.hostgator.com.br. root.sh-pro14.hostga...   \n",
       "\n",
       "                           properties.dom.screenshot  \n",
       "0  https://sandbox.pulsedive.com/screenshots/b590...  \n",
       "\n",
       "[1 rows x 79 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
     "pddetail = pdlookup.lookup_ioc(observable=\"alvoportas.com.br\", pd_type=\"indicator\")\n",
    "display(pddetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Threats"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 4,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>tid</th>\n",
       "      <th>threat</th>\n",
       "      <th>category</th>\n",
       "      <th>othernames</th>\n",
       "      <th>risk</th>\n",
       "      <th>description</th>\n",
       "      <th>wikisummary</th>\n",
       "      <th>wikireference</th>\n",
       "      <th>retired</th>\n",
       "      <th>stamp_added</th>\n",
       "      <th>...</th>\n",
       "      <th>summary.attributes.technology.Nginx.indicators</th>\n",
       "      <th>summary.attributes.technology.Nginx.aid</th>\n",
       "      <th>summary.risk.unknown</th>\n",
       "      <th>summary.risk.low</th>\n",
       "      <th>summary.risk.medium</th>\n",
       "      <th>summary.risk.high</th>\n",
       "      <th>summary.risk.critical</th>\n",
       "      <th>summary.risk.retired</th>\n",
       "      <th>summary.risk.total</th>\n",
       "      <th>summary.risk.none</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>1</td>\n",
       "      <td>Zeus</td>\n",
       "      <td>malware</td>\n",
       "      <td>[Zbot]</td>\n",
       "      <td>high</td>\n",
       "      <td></td>\n",
       "      <td>Zeus, ZeuS, or Zbot  is a Trojan horse malware...</td>\n",
       "      <td>https://en.wikipedia.org/wiki/Zeus_(malware)</td>\n",
       "      <td>None</td>\n",
       "      <td>2017-09-27 18:11:38</td>\n",
       "      <td>...</td>\n",
       "      <td>23</td>\n",
       "      <td>65095</td>\n",
       "      <td>42</td>\n",
       "      <td>21</td>\n",
       "      <td>10</td>\n",
       "      <td>2</td>\n",
       "      <td>0</td>\n",
       "      <td>744</td>\n",
       "      <td>1000</td>\n",
       "      <td>181</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1 rows × 85 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "   tid threat category othernames  risk description  \\\n",
       "0    1   Zeus  malware     [Zbot]  high               \n",
       "\n",
       "                                         wikisummary  \\\n",
       "0  Zeus, ZeuS, or Zbot  is a Trojan horse malware...   \n",
       "\n",
       "                                  wikireference retired          stamp_added  \\\n",
       "0  https://en.wikipedia.org/wiki/Zeus_(malware)    None  2017-09-27 18:11:38   \n",
       "\n",
       "   ... summary.attributes.technology.Nginx.indicators  \\\n",
       "0  ...                                             23   \n",
       "\n",
       "  summary.attributes.technology.Nginx.aid summary.risk.unknown  \\\n",
       "0                                   65095                   42   \n",
       "\n",
       "  summary.risk.low summary.risk.medium summary.risk.high  \\\n",
       "0               21                  10                 2   \n",
       "\n",
       "  summary.risk.critical summary.risk.retired summary.risk.total  \\\n",
       "0                     0                  744               1000   \n",
       "\n",
       "  summary.risk.none  \n",
       "0               181  \n",
       "\n",
       "[1 rows x 85 columns]"
      ]
     },
     "metadata": {},
     "output_type": "display_data"
    }
   ],
   "source": [
     "pddetail = pdlookup.lookup_threat(observable=\"zeus\")\n",
    "display(pddetail)"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "## Explore \n",
    "\n",
     "The Explore query language allows you to search across the Pulsedive dataset with boolean logic and wildcards. You can search indicators by value, type, risk, last-seen timestamp, threat, feed, attribute, and property, or any combination of these.\n",
     "More details: https://pulsedive.com/explore/\n",
     "\n",
     "\n",
     "### Search Fields\n",
     "The table below shows the fields that can be used in an Explore query:\n",
    "\n",
    "Search Field | Description | Example Query\n",
    "--- | --- | ---\n",
    "ioc | Search by indicator value. Default if the search field is omitted. | ioc=pulsedive.com, ioc=pulsedive*\n",
     "attribute | Search by attribute. Includes ports, protocols, and technologies. | port=443, protocol=http*, technology=apache, port=80 and port=443\n",
    "property | Search by property. | dns.a=45.55.106.210, meta=*pulsedive*, content-type=text/html*, ssl=\"*let's encrypt*\"\n",
    "threat | Search by threat name or alias. | threat=ryuk, threat=*zeus*\n",
    "feed | Search by feed name or organization. | feed=urlhaus, feed=abuse.ch\n",
    "type | Search by indicator type. | type=url, type=domain,ip,ipv6\n",
    "risk | Search by indicator risk. | risk=critical, risk=low,medium, risk=high+, risk=low-\n",
    "seen | Search by Last Seen timestamp. (UTC) | seen=day, seen=week, seen=month, seen=2020-01-01, seen=2022-01-01+, seen=2021-12-31-, seen=2020-01-01-2020-12-31\n",
    "active, retired | Search by active or retired status. | active=true, retired=0\n",
    "\n",
    "### Boolean Logic and Wildcards\n",
    "Explore queries allow for AND, OR, and NOT operations. Wildcards are also allowed.\n",
    "\n",
     "| Operation | Operator | Example Query |\n",
     "| --- | --- | --- |\n",
     "| AND | &, &&, and | pulsedive.com && type=domain |\n",
     "|   |   | pulsedive.com type=domain |\n",
     "| OR | \\|, \\|\\|, or | google.com or pulsedive* |\n",
     "|   |   | (*pulsedive* and type=domain) \\| threat=phishing |\n",
     "| NOT | != | risk!=medium- |\n",
     "| Wildcard | * | *pulsedive* |\n",
    "\n"
   ]
  },
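   {
    "attachments": {},
    "cell_type": "markdown",
    "metadata": {},
    "source": [
     "The block below is an added example, not code from this notebook or from MSTICPy: a few helpers that assemble Explore query strings from the fields and operators in the tables above and run a cheap client-side sanity check before the string is handed to `PDlookup.explore` or to `lookup_ioc` with `pd_type='explore'`. The function names (`term`, `risk_range`, `seen_between`, `all_of`, `any_of`, `check_query`, `recent_high_risk_hosts`) are my own; the field names and the comma, `+`, `-` and `!=` forms are the ones documented in the tables.\n",
     "\n",
     "```python\n",
     "# Added example, not from this notebook or from MSTICPy: helpers that assemble\n",
     "# and sanity-check Pulsedive Explore query strings from the fields and\n",
     "# operators in the tables above. Function names are my own; the field names,\n",
     "# the comma / + / - value forms and the and/or/!= operators are the documented ones.\n",
     "import re\n",
     "from typing import Sequence, Union\n",
     "\n",
     "# Attribute and property searches are written with the attribute or property\n",
     "# name itself (port=443, dns.a=...), so any dotted name is accepted as a field.\n",
     "FIELD_NAME = re.compile('^[A-Za-z][A-Za-z0-9_.-]*$')\n",
     "RISK_LEVELS = ['none', 'low', 'medium', 'high', 'critical']\n",
     "\n",
     "\n",
     "def quote_value(value: str) -> str:\n",
     "    '''Double-quote a value containing whitespace (as the ssl=*let's encrypt*\n",
     "    example in the table does); other values pass through untouched.'''\n",
     "    if any(ch.isspace() for ch in value) and not value.startswith('\"'):\n",
     "        return '\"' + value + '\"'\n",
     "    return value\n",
     "\n",
     "\n",
     "def term(field: str, value: Union[str, int, Sequence[str]], negate: bool = False) -> str:\n",
     "    '''One field=value clause. A list becomes a comma-separated alternative\n",
     "    set (type=domain,ip,ipv6); negate=True renders the != operator.'''\n",
     "    if not FIELD_NAME.match(field):\n",
     "        raise ValueError(f'bad field name: {field!r}')\n",
     "    if isinstance(value, (list, tuple)):\n",
     "        value = ','.join(str(v) for v in value)\n",
     "    op = '!=' if negate else '='\n",
     "    return f'{field}{op}{quote_value(str(value))}'\n",
     "\n",
     "\n",
     "def risk_range(level: str, at_least: bool = True) -> str:\n",
     "    '''risk=high+ (that level and above) when at_least, else risk=low- (that level and below).'''\n",
     "    if level not in RISK_LEVELS:\n",
     "        raise ValueError(f'unknown risk level: {level}')\n",
     "    suffix = '+' if at_least else '-'\n",
     "    return f'risk={level}{suffix}'\n",
     "\n",
     "\n",
     "def seen_between(start: str, end: str) -> str:\n",
     "    '''seen=YYYY-MM-DD-YYYY-MM-DD range (UTC), as in the table.'''\n",
     "    for day in (start, end):\n",
     "        if not re.fullmatch('[0-9]{4}-[0-9]{2}-[0-9]{2}', day):\n",
     "            raise ValueError(f'date must be YYYY-MM-DD: {day}')\n",
     "    return f'seen={start}-{end}'\n",
     "\n",
     "\n",
     "def all_of(*clauses: str) -> str:\n",
     "    '''AND of clauses; the table also allows & / && or plain whitespace.'''\n",
     "    return ' and '.join(clauses)\n",
     "\n",
     "\n",
     "def any_of(*clauses: str) -> str:\n",
     "    '''OR of clauses, parenthesised so the group composes inside an AND.'''\n",
     "    return '(' + ' or '.join(clauses) + ')'\n",
     "\n",
     "\n",
     "def check_query(query: str) -> bool:\n",
     "    '''Cheap client-side check before spending an API call: balanced\n",
     "    parentheses and quotes, and no clause left with an empty value.'''\n",
     "    depth = 0\n",
     "    for ch in query:\n",
     "        if ch == '(':\n",
     "            depth += 1\n",
     "        elif ch == ')':\n",
     "            depth -= 1\n",
     "            if depth < 0:\n",
     "                return False\n",
     "    if depth != 0 or query.count('\"') % 2:\n",
     "        return False\n",
     "    # a field followed by = or != and then end of string, a space or a closing paren\n",
     "    return re.search('(=|!=)($|[ )])', query) is None\n",
     "\n",
     "\n",
     "def recent_high_risk_hosts(period: str = 'week') -> str:\n",
     "    '''Worked query: active domains or IPs seen in the given period with risk high or above.'''\n",
     "    query = all_of(term('type', ['domain', 'ip']), risk_range('high'),\n",
     "                   term('seen', period), term('active', 'true'))\n",
     "    if not check_query(query):\n",
     "        raise ValueError('malformed query: ' + query)\n",
     "    return query\n",
     "\n",
     "\n",
     "if __name__ == '__main__':\n",
     "    print(recent_high_risk_hosts())\n",
     "    print(all_of(any_of(term('ioc', '*pulsedive*'), term('threat', 'phishing')),\n",
     "                 term('type', 'domain')))\n",
     "```"
    ]
   },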
  {
   "cell_type": "code",
   "execution_count": 5,
   "metadata": {},
   "outputs": [
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>iid</th>\n",
       "      <th>indicator</th>\n",
       "      <th>type</th>\n",
       "      <th>risk</th>\n",
       "      <th>stamp_added</th>\n",
       "      <th>stamp_updated</th>\n",
       "      <th>stamp_seen</th>\n",
       "      <th>summary.properties.whois.++privacy</th>\n",
       "      <th>summary.properties.geo.country</th>\n",
       "      <th>summary.properties.geo.countrycode</th>\n",
       "      <th>...</th>\n",
       "      <th>summary.properties.http.++content-type</th>\n",
       "      <th>summary.attributes</th>\n",
       "      <th>summary.domainiid</th>\n",
       "      <th>summary.properties.whois.++gdpr</th>\n",
       "      <th>summary.domain</th>\n",
       "      <th>summary.properties.geo.org</th>\n",
       "      <th>summary.properties.dns.ptr</th>\n",
       "      <th>stamp_retired</th>\n",
       "      <th>summary.properties.http</th>\n",
       "      <th>summary</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>53929</td>\n",
       "      <td>pulsedive.com</td>\n",
       "      <td>domain</td>\n",
       "      <td>none</td>\n",
       "      <td>2017-10-04 01:20:55</td>\n",
       "      <td>2023-01-19 02:20:24</td>\n",
       "      <td>2023-01-19 02:20:24</td>\n",
       "      <td>1</td>\n",
       "      <td>Canada</td>\n",
       "      <td>CA</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>1</th>\n",
       "      <td>102</td>\n",
       "      <td>dns10.parkpage.foundationapi.com</td>\n",
       "      <td>domain</td>\n",
       "      <td>none</td>\n",
       "      <td>2017-09-27 18:11:57</td>\n",
       "      <td>2023-01-17 20:18:41</td>\n",
       "      <td>2023-01-17 20:18:41</td>\n",
       "      <td></td>\n",
       "      <td>United States of America</td>\n",
       "      <td>US</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>[]</td>\n",
       "      <td>103.0</td>\n",
       "      <td></td>\n",
       "      <td>foundationapi.com</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>2</th>\n",
       "      <td>107</td>\n",
       "      <td>dns9.parkpage.foundationapi.com</td>\n",
       "      <td>domain</td>\n",
       "      <td>none</td>\n",
       "      <td>2017-09-27 18:11:57</td>\n",
       "      <td>2023-01-17 20:18:41</td>\n",
       "      <td>2023-01-17 20:18:41</td>\n",
       "      <td></td>\n",
       "      <td>United States of America</td>\n",
       "      <td>US</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>[]</td>\n",
       "      <td>103.0</td>\n",
       "      <td></td>\n",
       "      <td>foundationapi.com</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>3</th>\n",
       "      <td>116</td>\n",
       "      <td>209.99.40.222</td>\n",
       "      <td>ip</td>\n",
       "      <td>none</td>\n",
       "      <td>2017-09-27 18:11:58</td>\n",
       "      <td>2023-01-17 07:09:04</td>\n",
       "      <td>2023-01-17 04:14:28</td>\n",
       "      <td>NaN</td>\n",
       "      <td>VG</td>\n",
       "      <td>US</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>CENTURYLINK-LEGACY-LVLT-203</td>\n",
       "      <td>209-99-40-222.fwd.datafoundry.com</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>4</th>\n",
       "      <td>117</td>\n",
       "      <td>ns2.parkingcrew.net</td>\n",
       "      <td>domain</td>\n",
       "      <td>none</td>\n",
       "      <td>2017-09-27 18:11:58</td>\n",
       "      <td>2023-01-18 16:00:04</td>\n",
       "      <td>2023-01-18 16:00:04</td>\n",
       "      <td>1</td>\n",
       "      <td>Germany</td>\n",
       "      <td>DE</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>[]</td>\n",
       "      <td>118.0</td>\n",
       "      <td>1</td>\n",
       "      <td>parkingcrew.net</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>...</th>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "      <td>...</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>95</th>\n",
       "      <td>3673600</td>\n",
       "      <td>http://www.agentfalco.xyz/Webl/word.exe</td>\n",
       "      <td>url</td>\n",
       "      <td>medium</td>\n",
       "      <td>2018-12-02 17:44:38</td>\n",
       "      <td>2021-11-03 23:43:16</td>\n",
       "      <td>2021-08-02 05:32:05</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>[]</td>\n",
       "      <td>4340111.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>www.agentfalco.xyz</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2021-11-03 23:43:16</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>96</th>\n",
       "      <td>3673823</td>\n",
       "      <td>https://f.coka.la/EJ6Q7V.jpg</td>\n",
       "      <td>url</td>\n",
       "      <td>medium</td>\n",
       "      <td>2018-12-02 17:45:12</td>\n",
       "      <td>2021-11-03 23:43:16</td>\n",
       "      <td>2021-08-02 05:36:52</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>[]</td>\n",
       "      <td>3655358.0</td>\n",
       "      <td>NaN</td>\n",
       "      <td>f.coka.la</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2021-11-03 23:43:16</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>97</th>\n",
       "      <td>3687390</td>\n",
       "      <td>23.20.239.12</td>\n",
       "      <td>ip</td>\n",
       "      <td>none</td>\n",
       "      <td>2018-12-05 05:47:57</td>\n",
       "      <td>2023-01-17 07:57:32</td>\n",
       "      <td>2023-01-12 05:56:22</td>\n",
       "      <td>NaN</td>\n",
       "      <td>United States of America</td>\n",
       "      <td>US</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>AMAZON-AES</td>\n",
       "      <td>ec2-23-20-239-12.compute-1.amazonaws.com</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>98</th>\n",
       "      <td>3687391</td>\n",
       "      <td>18.211.9.206</td>\n",
       "      <td>ip</td>\n",
       "      <td>none</td>\n",
       "      <td>2018-12-05 05:47:57</td>\n",
       "      <td>2023-01-17 05:07:37</td>\n",
       "      <td>2022-06-01 01:47:02</td>\n",
       "      <td>NaN</td>\n",
       "      <td>United States of America</td>\n",
       "      <td>US</td>\n",
       "      <td>...</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>AMAZON-AES</td>\n",
       "      <td>ec2-18-211-9-206.compute-1.amazonaws.com</td>\n",
       "      <td>2022-09-03 02:44:42</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "    <tr>\n",
       "      <th>99</th>\n",
       "      <td>3694195</td>\n",
       "      <td>http://amsi.co.za/zzam/cjz.exe</td>\n",
       "      <td>url</td>\n",
       "      <td>medium</td>\n",
       "      <td>2018-12-06 06:33:12</td>\n",
       "      <td>2021-10-01 06:13:44</td>\n",
       "      <td>2021-07-01 05:07:00</td>\n",
       "      <td>NaN</td>\n",
       "      <td>REDACTED</td>\n",
       "      <td>ZA</td>\n",
       "      <td>...</td>\n",
       "      <td>text/html</td>\n",
       "      <td>[]</td>\n",
       "      <td>3164623.0</td>\n",
       "      <td>1</td>\n",
       "      <td>amsi.co.za</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "      <td>2021-10-01 06:13:44</td>\n",
       "      <td>NaN</td>\n",
       "      <td>NaN</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>100 rows × 23 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "        iid                                indicator    type    risk  \\\n",
       "0     53929                            pulsedive.com  domain    none   \n",
       "1       102         dns10.parkpage.foundationapi.com  domain    none   \n",
       "2       107          dns9.parkpage.foundationapi.com  domain    none   \n",
       "3       116                            209.99.40.222      ip    none   \n",
       "4       117                      ns2.parkingcrew.net  domain    none   \n",
       "..      ...                                      ...     ...     ...   \n",
       "95  3673600  http://www.agentfalco.xyz/Webl/word.exe     url  medium   \n",
       "96  3673823             https://f.coka.la/EJ6Q7V.jpg     url  medium   \n",
       "97  3687390                             23.20.239.12      ip    none   \n",
       "98  3687391                             18.211.9.206      ip    none   \n",
       "99  3694195           http://amsi.co.za/zzam/cjz.exe     url  medium   \n",
       "\n",
       "            stamp_added        stamp_updated           stamp_seen  \\\n",
       "0   2017-10-04 01:20:55  2023-01-19 02:20:24  2023-01-19 02:20:24   \n",
       "1   2017-09-27 18:11:57  2023-01-17 20:18:41  2023-01-17 20:18:41   \n",
       "2   2017-09-27 18:11:57  2023-01-17 20:18:41  2023-01-17 20:18:41   \n",
       "3   2017-09-27 18:11:58  2023-01-17 07:09:04  2023-01-17 04:14:28   \n",
       "4   2017-09-27 18:11:58  2023-01-18 16:00:04  2023-01-18 16:00:04   \n",
       "..                  ...                  ...                  ...   \n",
       "95  2018-12-02 17:44:38  2021-11-03 23:43:16  2021-08-02 05:32:05   \n",
       "96  2018-12-02 17:45:12  2021-11-03 23:43:16  2021-08-02 05:36:52   \n",
       "97  2018-12-05 05:47:57  2023-01-17 07:57:32  2023-01-12 05:56:22   \n",
       "98  2018-12-05 05:47:57  2023-01-17 05:07:37  2022-06-01 01:47:02   \n",
       "99  2018-12-06 06:33:12  2021-10-01 06:13:44  2021-07-01 05:07:00   \n",
       "\n",
       "   summary.properties.whois.++privacy summary.properties.geo.country  \\\n",
       "0                                   1                         Canada   \n",
       "1                                           United States of America   \n",
       "2                                           United States of America   \n",
       "3                                 NaN                             VG   \n",
       "4                                   1                        Germany   \n",
       "..                                ...                            ...   \n",
       "95                                NaN                            NaN   \n",
       "96                                NaN                            NaN   \n",
       "97                                NaN       United States of America   \n",
       "98                                NaN       United States of America   \n",
       "99                                NaN                       REDACTED   \n",
       "\n",
       "   summary.properties.geo.countrycode  ...  \\\n",
       "0                                  CA  ...   \n",
       "1                                  US  ...   \n",
       "2                                  US  ...   \n",
       "3                                  US  ...   \n",
       "4                                  DE  ...   \n",
       "..                                ...  ...   \n",
       "95                                NaN  ...   \n",
       "96                                NaN  ...   \n",
       "97                                 US  ...   \n",
       "98                                 US  ...   \n",
       "99                                 ZA  ...   \n",
       "\n",
       "   summary.properties.http.++content-type summary.attributes  \\\n",
       "0                               text/html                NaN   \n",
       "1                               text/html                 []   \n",
       "2                               text/html                 []   \n",
       "3                               text/html                NaN   \n",
       "4                               text/html                 []   \n",
       "..                                    ...                ...   \n",
       "95                                    NaN                 []   \n",
       "96                              text/html                 []   \n",
       "97                              text/html                NaN   \n",
       "98                                    NaN                NaN   \n",
       "99                              text/html                 []   \n",
       "\n",
       "   summary.domainiid summary.properties.whois.++gdpr      summary.domain  \\\n",
       "0                NaN                             NaN                 NaN   \n",
       "1              103.0                                   foundationapi.com   \n",
       "2              103.0                                   foundationapi.com   \n",
       "3                NaN                             NaN                 NaN   \n",
       "4              118.0                               1     parkingcrew.net   \n",
       "..               ...                             ...                 ...   \n",
       "95         4340111.0                             NaN  www.agentfalco.xyz   \n",
       "96         3655358.0                             NaN           f.coka.la   \n",
       "97               NaN                             NaN                 NaN   \n",
       "98               NaN                             NaN                 NaN   \n",
       "99         3164623.0                               1          amsi.co.za   \n",
       "\n",
       "     summary.properties.geo.org                summary.properties.dns.ptr  \\\n",
       "0                           NaN                                       NaN   \n",
       "1                           NaN                                       NaN   \n",
       "2                           NaN                                       NaN   \n",
       "3   CENTURYLINK-LEGACY-LVLT-203         209-99-40-222.fwd.datafoundry.com   \n",
       "4                           NaN                                       NaN   \n",
       "..                          ...                                       ...   \n",
       "95                          NaN                                       NaN   \n",
       "96                          NaN                                       NaN   \n",
       "97                   AMAZON-AES  ec2-23-20-239-12.compute-1.amazonaws.com   \n",
       "98                   AMAZON-AES  ec2-18-211-9-206.compute-1.amazonaws.com   \n",
       "99                          NaN                                       NaN   \n",
       "\n",
       "          stamp_retired summary.properties.http summary  \n",
       "0                   NaN                     NaN     NaN  \n",
       "1                   NaN                     NaN     NaN  \n",
       "2                   NaN                     NaN     NaN  \n",
       "3                   NaN                     NaN     NaN  \n",
       "4                   NaN                     NaN     NaN  \n",
       "..                  ...                     ...     ...  \n",
       "95  2021-11-03 23:43:16                     NaN     NaN  \n",
       "96  2021-11-03 23:43:16                     NaN     NaN  \n",
       "97                  NaN                     NaN     NaN  \n",
       "98  2022-09-03 02:44:42                     NaN     NaN  \n",
       "99  2021-10-01 06:13:44                     NaN     NaN  \n",
       "\n",
       "[100 rows x 23 columns]"
      ]
     },
     "execution_count": 5,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "pddetail = pdlookup.explore(query=\"ioc=pulsedive.com or threat=AgentTesla\")\n",
    "pddetail"
   ]
  },
  {
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "# Scan\n",
    "This lookup type submits a specific indicator, such as a domain name or IP address, to the Pulsedive API for analysis. The function returns the result as a pandas DataFrame; note that the call can take some time, because Pulsedive analyzes the indicator before responding. It is useful for indicators that have not yet been seen in the Pulsedive database, where a fresh scan can provide additional information and context."
   ]
  },
  {
   "cell_type": "code",
   "execution_count": 6,
   "metadata": {},
   "outputs": [
    {
     "name": "stdout",
     "output_type": "stream",
     "text": [
      "processing\n"
     ]
    },
    {
     "data": {
      "text/html": [
       "<div>\n",
       "<style scoped>\n",
       "    .dataframe tbody tr th:only-of-type {\n",
       "        vertical-align: middle;\n",
       "    }\n",
       "\n",
       "    .dataframe tbody tr th {\n",
       "        vertical-align: top;\n",
       "    }\n",
       "\n",
       "    .dataframe thead th {\n",
       "        text-align: right;\n",
       "    }\n",
       "</style>\n",
       "<table border=\"1\" class=\"dataframe\">\n",
       "  <thead>\n",
       "    <tr style=\"text-align: right;\">\n",
       "      <th></th>\n",
       "      <th>qid</th>\n",
       "      <th>iid</th>\n",
       "      <th>indicator</th>\n",
       "      <th>type</th>\n",
       "      <th>risk</th>\n",
       "      <th>risk_recommended</th>\n",
       "      <th>manualrisk</th>\n",
       "      <th>retired</th>\n",
       "      <th>stamp_added</th>\n",
       "      <th>stamp_updated</th>\n",
       "      <th>...</th>\n",
       "      <th>properties.dns.txt</th>\n",
       "      <th>properties.dns.soa</th>\n",
       "      <th>properties.dom.screenshot</th>\n",
       "      <th>links.Active DNS</th>\n",
       "      <th>links.Sources</th>\n",
       "      <th>links.Mail Servers</th>\n",
       "      <th>links.Name Servers</th>\n",
       "      <th>links.Related Domains</th>\n",
       "      <th>links.Redirects</th>\n",
       "      <th>links.Related URLs</th>\n",
       "    </tr>\n",
       "  </thead>\n",
       "  <tbody>\n",
       "    <tr>\n",
       "      <th>0</th>\n",
       "      <td>722111366</td>\n",
       "      <td>2</td>\n",
       "      <td>alvoportas.com.br</td>\n",
       "      <td>domain</td>\n",
       "      <td>none</td>\n",
       "      <td>none</td>\n",
       "      <td>0</td>\n",
       "      <td>None</td>\n",
       "      <td>2017-09-27 18:11:38</td>\n",
       "      <td>2023-01-19 03:04:22</td>\n",
       "      <td>...</td>\n",
       "      <td>v=spf1 ip4:69.49.252.72 ip4:162.241.60.107 a m...</td>\n",
       "      <td>nspro14.hostgator.com.br. root.sh-pro14.hostga...</td>\n",
       "      <td>https://sandbox.pulsedive.com/screenshots/b590...</td>\n",
       "      <td>[{'iid': 6, 'indicator': 'ns2.emidhost4.com.br...</td>\n",
       "      <td>[{'iid': 4549968, 'indicator': 'https://www.al...</td>\n",
       "      <td>[{'iid': 37438712, 'indicator': 'mail.alvoport...</td>\n",
       "      <td>[{'iid': 11175125, 'indicator': 'nspro14.hostg...</td>\n",
       "      <td>[{'iid': 4238057, 'indicator': 'www.alvoportas...</td>\n",
       "      <td>[{'iid': 37438713, 'indicator': 'http://alvopo...</td>\n",
       "      <td>[{'iid': 2839792, 'indicator': 'http://alvopor...</td>\n",
       "    </tr>\n",
       "  </tbody>\n",
       "</table>\n",
       "<p>1 rows × 86 columns</p>\n",
       "</div>"
      ],
      "text/plain": [
       "         qid  iid          indicator    type  risk risk_recommended  \\\n",
       "0  722111366    2  alvoportas.com.br  domain  none             none   \n",
       "\n",
       "   manualrisk retired          stamp_added        stamp_updated  ...  \\\n",
       "0           0    None  2017-09-27 18:11:38  2023-01-19 03:04:22  ...   \n",
       "\n",
       "                                  properties.dns.txt  \\\n",
       "0  v=spf1 ip4:69.49.252.72 ip4:162.241.60.107 a m...   \n",
       "\n",
       "                                  properties.dns.soa  \\\n",
       "0  nspro14.hostgator.com.br. root.sh-pro14.hostga...   \n",
       "\n",
       "                           properties.dom.screenshot  \\\n",
       "0  https://sandbox.pulsedive.com/screenshots/b590...   \n",
       "\n",
       "                                    links.Active DNS  \\\n",
       "0  [{'iid': 6, 'indicator': 'ns2.emidhost4.com.br...   \n",
       "\n",
       "                                       links.Sources  \\\n",
       "0  [{'iid': 4549968, 'indicator': 'https://www.al...   \n",
       "\n",
       "                                  links.Mail Servers  \\\n",
       "0  [{'iid': 37438712, 'indicator': 'mail.alvoport...   \n",
       "\n",
       "                                  links.Name Servers  \\\n",
       "0  [{'iid': 11175125, 'indicator': 'nspro14.hostg...   \n",
       "\n",
       "                               links.Related Domains  \\\n",
       "0  [{'iid': 4238057, 'indicator': 'www.alvoportas...   \n",
       "\n",
       "                                     links.Redirects  \\\n",
       "0  [{'iid': 37438713, 'indicator': 'http://alvopo...   \n",
       "\n",
       "                                  links.Related URLs  \n",
       "0  [{'iid': 2839792, 'indicator': 'http://alvopor...  \n",
       "\n",
       "[1 rows x 86 columns]"
      ]
     },
     "execution_count": 6,
     "metadata": {},
     "output_type": "execute_result"
    }
   ],
   "source": [
    "pdscan = pdlookup.scan(observable=\"alvoportas.com.br\")\n",
    "pdscan"
   ]
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.9.8"
  },
  "vscode": {
   "interpreter": {
    "hash": "11feda34545c9af0495d8c8d6854b4469c1219b03eba0db0aa3ba1c9e34588aa"
   }
  }
 },
 "nbformat": 4,
 "nbformat_minor": 4
}
